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In view of the foregoing it is respectfully requested that this Petition be granted 

The Commissioner is hereby authorized to charge Deposit Account No. 20-0780/MPOR- 
26,491 any additional fees associated with this Petition or credit any overpayment. 
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STATEMENT OF MICHAEL MALONE EXPLAINING WHY THIS PATENT 
APPLICATION CONTRIBUTES TO COUNTERING TERRORISM 

Applicants present inventive concept is directed to an apparatus is disclosed for recording 
image or other data in real time. The apparatus includes a capture device for capturing the image 
or other information. Once captured, a local verification device is operable to indelibly mark the 
captured image or other information with the date, time, location and information identifying the 
creator of the data. A transmitter is provided for transmitting the locally verified captured 
image or other information in real time to a secure storage facility. The capture device is 
operable, after the locally verified captured image or other information is transmitted to the 
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secure storage facility, to receive and verify acknowledgment of the receipt of the transmitted 
locally verified captured image or other information to the storage facility. 

One of the central embodiments of the submitted FORENSIC COMMUNICATION 
APPARATUS AND METHOD patent Application; for which we are now requesting that 
advanced out of turn for examination be provided, describes an apparatus, methods and means 
for capturing, securing, encrypting, transmitting digital images(s), video clip(s), text, sound, and 
other digitized data to a secure remote digital repository for secure, tamper resistant, non- 
repudiation storage and authorized personnel only retrieval. 

With the advent of digital media, it has become increasingly easy to copy, counterfeit, 
falsify and misuse digital information of all kinds. Digital media can be altered in ways that defy 
detection and time and date stamps can be easily changed with freely available software tools. 

Furthermore, this invention provides for the secure non-repudiation of the source and 
exact time and location of the captured digital images by permanently embedding non- 
repudiation Digital Certificates steganographically within the captured images. This inventive 
embodiment is clearly useful for evidentiary and other purposes. 

Within the new world of security sensitivity lies the potential for inadvertent or deliberate 
dissemination of captured images that pose a threat to the privacy of the individual. Our 
invention provides a method and means that only authorized personnel can retrieve and decipher 
the images and attendant data. 

This invention is directly related to the United States Homeland Security initiatives 
relating to counter-terrorism inventions as defined in 18 U.S.C. 2331, as well as law 
enforcement and commercial applications. 
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ADDITIONAL INFORMATION 



On June 1, 2004, Bloomberg News announced the Department of Homeland Security 
awarded a 10 year contract worth as much as $10 billion to a group led by Accenture Ltd. to 
develop a system to help track visitors to the United States. It will help implement a security 
program to collect and share data on foreigners entering the United States as part of the U. S. - 
Visit program to protect against terrorism, the department said. 

According to sources, this security program will be designed to protect against terrorism 
by incorporating a person's photograph, fingerprints and other information contained in his or 
her visa and passport and then wirelessly transmit the information to a secure data repository for 
digital archiving. 

As the Homeland Security rolls out their initiatives for border patrol, personnel clearing 
United Sates Customs and tracking personnel entering and leaving the United States, security 
within airports, trains or other public security or other forensic applications, the submitted patent 
and invention addresses and invents many of these requirements. 

By definitively being able to identify the source, exact time, place and date of the original 
captured image; by securely transmitting and storing said images and attendant data, and by 
assuring that only authorized personnel can access and decipher the images and data and that the 
original images and data have not been tampered with our invention clearly has numerous 
beneficial uses. Given the foregoing, Applicants respectfully request that our application be 
granted Special Status for Examiner's review and Office Action. 
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I hereby declare that all statements made herein of my own knowledge are true and that 
all statements made on information and belief are believed to be true; and further that these 
statements were made with the knowledge that willful false statements and the like so made are 
punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States 
Code, and that such willful false statements may jeopardize the validity of the application or any 
patent issued thereon. 




Michael Malone 
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INFORMATION DISCLOSURE STATEMENT 



In accordance with the requirements of 37 C.F.R. §§ 1.56, 1.97, and 1.98, attached please 
find a Form PTO SB/08 listing information for consideration by the Office in connection with its 
examination of the above-captioned patent application. A copy of the non-patent literature 
document is enclosed herewith. 



Applicants request that this information disclosure statement be considered and that a copy 
of the Form PTO SB/08 be returned to the undersigned indicating the consideration of each 
document listed. 



REMARKS 



Applicants submit that no representation is made, and no representation is intended, that 
more relevant material does not exist, or that the order of presentation of these materials in any way 
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reflects their relevant pertinence. The listing on the attached Form PTO SB/08 is not intended to 
constitute an admission of any kind. Specifically, this presentation is not an admission that any of 
the items listed are properly citable against the above-identified application as prior art. Applicants 
respectfully submit that their invention is patentable over the documents listed on Form PTO SB/08. 

To Applicant's knowledge, this information disclosure statement is being filed before the 
mailing date of a first Office Action on the merits. Therefore, pursuant to 37 C.F.R. § 1.97(b)(3), 
no fee is believed necessary for its consideration. Please charge any necessary fees or deficiencies 
in fees necessary for the filing of this paper or credit any overpayment to Deposit Account No. 20- 
0780/MPOR-26,491 of HOWISON & ARNOTT, L.L.P. 
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Dallas, Texas 75374-1715 
Tel. (972)479-0462 
Fax. (972) 479-0464 
June 29, 2004 
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HMAC: Keyed-Hashing for Message Authentication 

Status of This Memo 

This memo provides information for the Internet community. This 
memo 

does not specify an Internet standard of any kind. Distribution of 
this memo is unlimited. 



Abstract 



This document describes HMAC, a mechanism for message authentication 
using cryptographic hash functions. HMAC can be used with any 
iterative cryptographic hash function, e.g., MD5, SHA-1, in 
combination with a secret shared key. The cryptographic strength of 
HMAC depends on the properties of the underlying hash function. 



1. Introduction 



Providing a way to check the integrity of information transmitted 
over or stored in an unreliable medium is a prime necessity in the 
world of open computing and communications. Mechanisms that provide 
such integrity check based on a secret key are usually called 
"message authentication codes" (MAC) . Typically, message 
authentication codes are used between two parties that share a 
secret 



key in order to validate information transmitted between these 
parties. In this document we present such a MAC mechanism based on 
cryptographic hash functions. This mechanism, called HMAC, is based 
on work by the authors [BCK1] where the construction is presented 

and 

cryptographically analyzed. We refer to that work for the details on 
the rationale and security analysis of HMAC, and its comparison to 
other keyed-hash methods. 

HMAC can be used in combination with any iterated cryptographic hash 
function. MD5 and SHA-1 are examples of such hash functions. HMAC 
also uses a secret key for calculation and verification of the 
message authentication values. The main goals behind this 
construction are 

* To use, without modifications, available hash functions. 

In particular, hash functions that perform well in software, 
and for which code is freely and widely available. 

* To preserve the original performance of the hash function without 
incurring a significant degradation. 

* To use and handle keys in a simple way. 

* To have a well understood cryptographic analysis of the strength 

of 

the authentication mechanism based on reasonable assumptions on 

the 

underlying hash function. 

* To allow for easy replaceability of the underlying hash function 

in 

case that faster or more secure hash functions are found or 
required . 

This document specifies HMAC using a generic cryptographic hash 
function (denoted by H) . Specific instantiations of HMAC need to 
define a particular hash function. Current candidates for such hash 
functions include SHA-1 [SHA] , MD5 [MD5], RIPEMD-128/160 [RIPEMD] . 
These different realizations of HMAC will be denoted by HMAC-SHA1, 
HMAC-MD5 , HMAC-RIPEMD, etc. 

Note: To the date of writing of this document MD5 and SHA-1 are the 
most widely used cryptographic hash functions. MD5 has been recently 
shown to be vulnerable to collision search attacks [Dobb] . This 
attack and other currently known weaknesses of MD5 do not compromise 
the use of MD5 within HMAC as specified in this document (see 
[Dobb]); however, SHA-1 appears to be a cryptographically stronger 
function. To this date, MD5 can be considered for use in HMAC for 
applications where the superior performance of MD5 is critical. In 
any case, implementers and users need to be aware of possible 
cryptanalytic developments regarding any of these cryptographic hash 
functions, and the eventual need to replace the underlying hash 
function. (See section 6 for more information on the security of 
HMAC. ) 



2. Definition of HMAC 



The definition of HMAC requires a cryptographic hash function, which 
we denote by H, and a secret key K. We assume H to be a 
cryptographic 

hash function where data is hashed by iterating a basic compression 
function on blocks of data. We denote by B the byte-length of such 
blocks (B=64 for all the above mentioned examples of hash 
functions) , 

and by L the byte-length of hash outputs (L=16 for MD5 , L=20 for 
SHA-1) . The authentication key K can be of any length up to B, the 
block length of the hash function. Applications that use keys 
longer 

than B bytes will first hash the key using H and then use the 
resultant L byte string as the actual key to HMAC. In any case the 
minimal recommended length for K is L bytes (as the hash output 
length). See section 3 for more information on keys. 

We define two fixed and different strings ipad and opad as follows 
(the 1 i 1 and ' o 1 are mnemonics for inner and outer): 

ipad = the byte 0x36 repeated B times 
opad = the byte 0x5C repeated B times. 

To compute HMAC over the data 'text 1 we perform 

H(K XOR opad, H (K XOR ipad, text)) 

Namely, 

(1) append zeros to the end of K to create a B byte string 
(e.g., if K is of length 20 bytes and B=64, then K will be 

appended with 44 zero bytes 0x00) 

(2) XOR (bitwise exclusive-OR) the B byte string computed in step 
(1) with ipad 

(3) append the stream of data 1 text ' to the B byte string resulting 
from step (2) 

(4) apply H to the stream generated in step (3) 

(5) XOR (bitwise exclusive-OR) the B byte string computed in 
step (1) with opad 

(6) append the H result from step (4) to the B byte string 
resulting from step (5) 

(7) apply H to the stream generated in step (6) and output 
the result 

For illustration purposes, sample code based on MD5 is provided as 

an 

appendix. 
3. Keys 

The key for HMAC can be of any length (keys longer than B bytes are 
first hashed using H) . However, less than L bytes is strongly 
discouraged as it would decrease the security strength of the 
function. Keys longer than L bytes are acceptable but the extra 
length would not significantly increase the function strength. (A 
longer key may be advisable if the randomness of the key is 
considered weak.) 



Keys need to be chosen at random (or using a cryptographically 
strong 

pseudo-random generator seeded with a random seed) , and periodically 
refreshed. (Current attacks do not indicate a specific recommended 
frequency for key changes as these attacks are practically 
infeasible. However, periodic key refreshment is a fundamental 
security practice that helps against potential weaknesses of the 
function and keys, and limits the damage of an exposed key.) 

4 . Implementation Note 

HMAC is defined in such a way that the underlying hash function H 

can 

be used with no modification to its code. In particular, it uses the 
function H with the pre-defined initial value IV (a fixed value 
specified by each iterative hash function to initialize its 
compression function) . However, if desired, a performance 
improvement can be achieved at the cost of (possibly) modifying the 
code of H to support variable IVs . 

The idea is that the intermediate results of the compression 
function 

on the B-byte blocks (K XOR ipad) and (K XOR opad) can be 
precomputed 

only once at the time of generation of the key K, or before its 
first 

use. These intermediate results are stored and then used to 
initialize the IV of H each time that a message needs to be 
authenticated. This method saves, for each authenticated message, 
the application of the compression function of H on two B-byte 
blocks 

(i.e., on (K XOR ipad) and (K XOR opad)). Such a savings may be 
significant when authenticating short streams of data. We stress 
that the stored intermediate values need to be treated and protected 
the same as secret keys. 

Choosing to implement HMAC in the above way is a decision of the 
local implementation and has no effect on inter-operability . 

5. Truncated output 

A well-known practice with message authentication codes is to 
truncate the output of the MAC and output only part of the bits 
(e.g., [MM, ANSI]). Preneel and van Oorschot [PV] show some 
analytical advantages of truncating the output of hash-based MAC 
functions . The results in this area are not absolute as for the 
overall security advantages of truncation. It has advantages (less 
information on the hash result available to an attacker) and 
disadvantages (less bits to predict for the attacker) . Applications 
of HMAC can choose to truncate the output of HMAC by outputting the 

t 

leftmost bits of the HMAC computation for some parameter t (namely, 
the computation is carried in the normal way as defined in section 2 
above but the end result is truncated to t bits) . We recommend that 
the output length t be not less than half the length of the hash 



output (to match the birthday attack bound) and not less than 80 
bits 

(a suitable lower bound on the number of bits that need to be 
predicted by an attacker) . We propose denoting a realization of 
HMAC 

that uses a hash function H with t bits of output as HMAC-H-t. For 
example, HMAC-SHAl-80 denotes HMAC computed using the SHA-1 function 
and with the output truncated to 80 bits. (If the parameter t is 

not 

specified, e.g. HMAC-MD5, then it is assumed that all the bits of 

the 

hash are output.) 
6. Security 

The security of the message authentication mechanism presented here 
depends on cryptographic properties of the hash function H: the 
resistance to collision finding (limited to the case where the 
initial value is secret and random, and where the output of the 
function is not explicitly available to the attacker), and the 
message authentication property of the compression function of H 
when 

applied to single blocks (in HMAC these blocks are partially unknown 
to an attacker as they contain the result of the inner H computation 
and, in particular, cannot be fully chosen by the attacker) . 

These properties, and actually stronger ones, are commonly assumed 
for hash functions of the kind used with HMAC. In particular, a hash 
function for which the above properties do not hold would become 
unsuitable for most (probably, all) cryptographic applications, 
including alternative message authentication schemes based on such 
functions. (For a complete analysis and rationale of the HMAC 
function the reader is referred to [BCK1].) 

Given the limited confidence gained so far as for the cryptographic 
strength of candidate hash functions, it is important to observe the 
following two properties of the HMAC construction and its secure use 
for message authentication: 

1. The construction is independent of the details of the particular 
hash function H in use and then the latter can be replaced by any 
other secure (iterative) cryptographic hash function. 

2. Message authentication, as opposed to encryption, has a 
"transient" effect. A published breaking of a message authentication 
scheme would lead to the replacement of that scheme, but would have 
no adversarial effect on information authenticated in the past. 

This 

is in sharp contrast with encryption, where information encrypted 
today may suffer from exposure in the future if, and when, the 
encryption algorithm is broken. 

The strongest attack known against HMAC is based on the frequency of 
collisions for the hash function H ("birthday attack") [PV,BCK2], 

and 

is totally impractical for minimally reasonable hash functions. 



As an example, if we consider a hash function like MD5 where the 
output length equals L=16 bytes (128 bits) the attacker needs to 
acquire the correct message authentication tags computed (with the 
_same_ secret key K!) on about 2**64 known plaintexts. This would 
require the processing of at least 2**64 blocks under H, an 
impossible task in any realistic scenario (for a block length of 64 
bytes this would take 250,000 years in a continuous lGbps link, and 
without changing the secret key K during all this time) . This 
attack 

could become realistic only if serious flaws in the collision 
behavior of the function H are discovered (e.g. collisions found 
after 2**30 messages) . Such a discovery would determine the 
immediate 

replacement of the function H (the effects of such failure would be 
far more severe for the traditional uses of H in the context of 
digital signatures, public key certificates, etc.). 

Note: this attack needs to be strongly contrasted with regular 
collision attacks on cryptographic hash functions where no secret 

key 

is involved and where 2**64 off-line parallelizable (!) operations 
suffice to find collisions. The latter attack is approaching 
feasibility [VW] while the birthday attack on HMAC is totally 
impractical. (In the above examples, if one uses a hash function 
with, say, 160 bit of output then 2**64 should be replaced by 
2**80.) 

A correct implementation of the above construction, the choice of 
random (or cryptographically pseudorandom) keys, a secure key 
exchange mechanism, frequent key refreshments, and good secrecy 
protection of keys are all essential ingredients for the security of 
the integrity verification mechanism provided by HMAC. 

Appendix Sample Code 

For the sake of illustration we provide the following sample code 

for 

the implementation of HMAC-MD5 as well as some corresponding test 
vectors (the code is based on MD5 code as described in [MD5] ) . 

/* 

** Function: hmac md5 
*/ 

void 

hmac_md5 (text, 
unsigned char* 
int 

unsigned char* 
*/ 
int 

caddr_t 
*/ 

{ 

MD5_CTX context; 

unsigned char k_ipad[65]; /* inner padding - 



text_len, key, key_len, digest) 
text; /* pointer to data stream */ 

text_len; /* length of data stream */ 

key; /* pointer to authentication key 

key_len; /* length of authentication key */ 

digest; /* caller digest to be filled in 



* key XORd with ipad 
*/ 

unsigned char k_opad[65]; /* outer padding - 

* key XORd with opad 
*/ 

unsigned char tk[16]; 
int i; 

/* if key is longer than 64 bytes reset it to key=MD5(key) */ 
if (key_len > 64) { 

MD5_CTX tctx; 

MD5Init (&tctx) ; 

MD5Update (Stctx, key, key_len) ; 
MD5Final (tk # fitctx) ; 

key = tk; 
key_len = 16; 

} 

/* 

* the HMAC_MD5 transform looks like: 

* MD5 (K XOR opad, MD5 (K XOR ipad, text)) 
* 

* where K is an n byte key 

* ipad is the byte 0x36 repeated 64 times 

* opad is the byte 0x5c repeated 64 times 

* and text is the data being protected 
*/ 

/* start out by storing key in pads */ 
bzero( k_ipad, sizeof k_ipad) ; 
bzero( k_opad, sizeof k_opad) ; 
bcopy ( key, k_ipad, key_len) ; 
bcopy ( key, k_opad, key_len) ; 

/* XOR key with ipad and opad values */ 
for (i=0; i<64; i++) { 

k_ipad[i] A = 0x36; 

k_opad[i] A = 0x5c; 

} 

/* 

* perform inner MD5 
*/ 

MD5Init (&context) ; /* init context for 1st 

* pass */ 

MD5Update Ucontext, k_ipad, 64) /* start with inner pad * 

MD5Update (&context, text, text_len) ; /* then text of datagram 

MD5Final (digest, &context) ; /* finish up 1st pass */ 

/* 

* perform outer MD5 
*/ 

MD5Init (&context) ; /* init context for 2nd 

* pass */ 



MD5Update (Scontext, k_opad, 64); /* start with outer pad */ 

MD5Update (&context, digest, 16); /* then results of 1st 

* hash */ 

MD5Final (digest, &context) ; /* finish up 2nd pass */ 

} 

Test Vectors (Trailing '\0 f of a character string not included in 
test) : 



key - OxObObObObObObObObObObObObObObObOb 

key_len = 16 bytes 

data = "Hi There" 

data_len = 8 bytes 

digest = 0x9294727a3638bblcl3f 48ef 8158bf c9d 

key - "Jefe" 

data = "what do ya want for nothing?" 

data_len = 28 bytes 

digest = 0x750c783e6ab0b503eaa86e310a5db738 



key = 



0 x AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 



key_len 
data = 



data_len 
digest = 



16 bytes 

OxDDDDDDDDDDDDDDDDDDDD. . . 
. . DDDDDDDDDDDDDDDDDDDD . . . 
. .DDDDDDDDDDDDDDDDDDDD. . . 
. .DDDDDDDDDDDDDDDDDDDD. . . 
. .DDDDDDDDDDDDDDDDDDDD 
50 bytes 

0x56be34521dl44c88dbb8c733f0e8b3f6 
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